Deploying Microsoft Sentinel Scheduled Analytics Rule with Bicep
Chapter 1: Introduction to Microsoft Sentinel and Bicep
This guide is designed to assist you in implementing Microsoft Sentinel within your system, particularly focusing on a scheduled analytics rule that detects matches across various data feeds for IP Indicators of Compromise (IOCs) associated with the IRIDIUM activity group. We will utilize Infrastructure-as-Code (IaC) through Azure Bicep.
Azure Bicep serves as a domain-specific language (DSL) that employs a declarative syntax for deploying Azure resources. Essentially, Bicep simplifies the process of creating Azure Resource Manager (ARM) templates, allowing you to define Azure resources in a more accessible manner. According to Microsoft Docs:
Once you've linked your data sources to Microsoft Sentinel, you can create tailored analytics rules to identify threats and unusual activities in your environment. These analytics rules monitor specific events or groups of events, notifying you when particular thresholds or conditions are met, generating incidents for your Security Operations Center (SOC) to analyze and respond to threats with automated tracking and remediation processes.
Prerequisites
- An active Azure account (you can sign up for free).
- Azure Bicep installed on your local machine.
- Azure PowerShell installed. Refer to: Install Azure PowerShell.
- A resource group within your Azure subscription.
Let's dive in!
Chapter 2: Overview of the Solution
We will create a Bicep template to set up a Microsoft Sentinel instance in your environment, along with a scheduled analytics rule that detects matches across different data feeds for IP IOCs linked to the IRIDIUM activity group.
The solution will consist of the following files:
- main.bicep: The Bicep template.
- azuredeploy.parameters.json: The parameter file containing the values for deploying your Bicep template.
Section 2.1: Azure Bicep Template - Parameters
Begin by creating a new file in your working directory called main.bicep. In this file, we will define the necessary parameters:
@description('Unique name for the scheduled alert rule.')
param ruleName string
param location string = resourceGroup().location
param sentinelName string
@minValue(30)
@maxValue(730)
param retentionInDays int = 90
Section 2.2: Azure Bicep Template - Variables
Next, we will declare two variables: the workspace name, made unique per resource group with uniqueString(), and the name of the Sentinel solution that will be enabled on that workspace:
var workspaceName = '${location}-${sentinelName}-${uniqueString(resourceGroup().id)}'
var solutionName = 'SecurityInsights(${sentinelWorkspace.name})'
Section 2.3: Azure Bicep Template - Resources
Now, we will define the resources required for our deployment:
resource sentinelWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: 'PerGB2018'
    }
    retentionInDays: retentionInDays
  }
}
This declaration creates the Log Analytics workspace that Sentinel runs on, using the pay-as-you-go (PerGB2018) pricing tier and the retention period taken from the retentionInDays parameter (30 to 730 days).
Section 2.4: Analytics Rule Configuration
Next, let's configure the analytics rule:
resource ruleGuid 'Microsoft.SecurityInsights/alertRules@2021-03-01-preview' = {
  scope: sentinelWorkspace
  name: ruleName
  kind: 'Scheduled'
  properties: {
    displayName: 'Known IRIDIUM IP'
    description: 'Identifies matches across various data feeds for IP IOCs related to the IRIDIUM activity group.'
    severity: 'High'
    enabled: true
    query: 'let IPList = dynamic(["154.223.45.38","185.141.207.140","185.234.73.19","216.245.210.106","51.91.48.210","46.255.230.229"]); ...'
    queryFrequency: 'P1D'
    queryPeriod: 'P1D'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
    suppressionDuration: 'PT5H'
    suppressionEnabled: false
    tactics: [
      'CommandAndControl'
    ]
    incidentConfiguration: {
      createIncident: true
      groupingConfiguration: {
        enabled: false
        lookbackDuration: 'PT5H'
      }
    }
    eventGroupingSettings: {
      aggregationKind: 'SingleAlert'
    }
  }
}
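The resources above create the workspace and the rule, but the solutionName variable from Section 2.2 is never used, and a Microsoft.SecurityInsights/alertRules resource can only be deployed once Sentinel is enabled on the workspace. The following main.bicep is an added example, not the article's own code: it wires in the SecurityInsights solution that solutionName names, makes the rule depend on it explicitly, and adds outputs so the deployment can be checked afterwards. The query parameter, the sentinelSolution and iridiumRule symbolic names, and the outputs are my additions; the remaining rule properties are the ones from Section 2.4.

```bicep
param ruleName string
param location string = resourceGroup().location
param sentinelName string
param query string // KQL: pass the IRIDIUM IP-match query from Section 2.4 here
var workspaceName = '${location}-${sentinelName}-${uniqueString(resourceGroup().id)}'
var solutionName = 'SecurityInsights(${sentinelWorkspace.name})'

resource sentinelWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
  }
}

// Enables Microsoft Sentinel on the workspace; this is what solutionName is for.
resource sentinelSolution 'Microsoft.OperationsManagement/solutions@2015-11-01-preview' = {
  name: solutionName
  location: location
  plan: {
    name: solutionName
    publisher: 'Microsoft'
    product: 'OMSGallery/SecurityInsights'
    promotionCode: ''
  }
  properties: {
    workspaceResourceId: sentinelWorkspace.id
  }
}

resource iridiumRule 'Microsoft.SecurityInsights/alertRules@2021-03-01-preview' = {
  scope: sentinelWorkspace
  name: ruleName
  kind: 'Scheduled'
  // scope only implies a dependency on the workspace; without this the rule can
  // be deployed before Sentinel is enabled and the deployment fails.
  dependsOn: [ sentinelSolution ]
  properties: {
    displayName: 'Known IRIDIUM IP'
    severity: 'High'
    enabled: true
    query: query
    queryFrequency: 'P1D'
    queryPeriod: 'P1D'
    triggerOperator: 'GreaterThan'
    triggerThreshold: 0
  }
}
output workspaceName string = sentinelWorkspace.name
output ruleId string = iridiumRule.id
```

The outputs matter because the workspace name is derived from uniqueString(), so without them you would have to look it up in the portal to confirm the rule landed in the right workspace.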
Section 2.5: Parameters File Setup
Create a new file named azuredeploy.parameters.json to define the parameters for your deployment:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "ruleName": {
      "value": "azinsiderRule"
    },
    "sentinelName": {
      "value": "azinsider"
    }
  }
}
Section 2.6: Deploying the Bicep Template
To deploy your Bicep template, execute the following command:
az deployment group create --resource-group <your-resource-group> --template-file main.bicep --parameters azuredeploy.parameters.json
You can preview the deployment first by running the same command with what-if in place of create (az deployment group what-if ...), which lists the resources that would be created or changed without touching anything. Once the preview looks right, execute the deployment command to finalize the setup.
After deployment, you can verify its success through the Azure Portal to ensure that the rule is active within the Sentinel workspace.
For further assistance or contributions, feel free to check out the code for this solution at the provided link.
-Dave R.